Storage and network virtualization are fundamental cloud enabling technologies. Storage and network virtualization do to storage and networking what server virtualization did to servers: they take the fundamental components that constitute storage and networking and virtualize them so that multiple virtual storage systems and networks can be multiplexed onto a single set of physical hardware.
The virtualization of cryptographic functions separates cryptographic computation from the moment of the storage or network encryption or decryption event. The invention achieves this by spending memory to time-shift computation: the cryptographic work is performed ahead of the event and its result is held in memory, which creates a new virtual cryptographic resource that is tightly coupled to the memory system.
Treating cryptographic computation as a virtual resource lets the application level handle the encryption and decryption of information itself, because encrypting and decrypting become fast operations at the point of use. In this way end-to-end encryption of data can be realized, potentially changing the confidentiality model of current storage and networking systems, which depend on physical encryption hardware.
The end-to-end argument has been debated in computer science since “End-to-End Arguments in System Design” [1] was put forward in the early 1980s as a central design principle of the Internet. As the Internet matured, block ciphers were often moved into hardware to meet the throughput requirements of network communications and storage: specialized routers encrypted and decrypted packets at wire speed, and storage controllers encrypted and decrypted at disk access speed. Under this paradigm, encryption and decryption were often performed in the middle of the path, not at the ends.
Another force driving this design was that each end of the communication could not provide adequate encryption and decryption rates: the ends were often personal computers, or larger computers whose computational bandwidth was already exhausted by the demands of multiprocessing.
As processors became powerful enough to execute algorithms such as the Data Encryption Standard (DES), some of the security was moved to the endpoints, even though this often created a performance bottleneck. The goal was to increase the speed of software encryption, and the eventual change of the standardized algorithm moved things closer to that goal. Once the Advanced Encryption Standard (AES) [2] became commonplace, the race to produce a software implementation that could keep up with throughput demands was on.
Eventually hardware instructions were added to general-purpose server processors to support end-to-end protocols, including Transport Layer Security (TLS). While these processors could keep up at times, they would often become saturated performing the computation demanded by multiple high-bandwidth links. The invention was conceived to support high-bandwidth operations without coupling every operation to the processor complex at the time of encryption or decryption. Virtual cryptographic services perform the encryption and decryption needed by servers as an abstraction that exists on top of the physical hardware.
A key hardware trend that enables the virtualization of encryption and decryption is the improvement in PC and server memory systems. In modern computing, memory that is relatively inexpensive and fast can be used to improve performance in many different ways. Memory is no longer as scarce a resource as it was in the past, and it is in this surplus memory that cryptographic virtualization is realized. Using a virtual cryptographic resource does not depend on available processor bandwidth but on available memory bandwidth.
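The text describes time-shifting cryptographic work into memory and making the event itself depend on memory bandwidth rather than processor bandwidth, but does not spell out a mechanism. The example below is added here and is not code from the page or from the patent it describes; it assumes one concrete realization: a counter-mode keystream derived ahead of time by a PRF (HMAC-SHA256 is an assumption of the example; a block cipher in CTR mode has the same shape) and parked in memory, so that the encryption or decryption event is only a XOR. `VirtualKeystream`, `encrypt_after_precompute`, `keystream_reuse_leak` and the key, nonce and message bytes are all constructed for this example. It also shows the caveat any precomputed keystream carries: a (key, nonce, offset) triple must never cover two different plaintexts.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per PRF call


class VirtualKeystream:
    """Keystream whose derivation can run ahead of the encryption event.

    Keystream block i = PRF(key, nonce || i); HMAC-SHA256 as a counter-mode
    PRF is an assumption of this example. Derived blocks are parked in
    memory (the 'virtual cryptographic resource'), so the encryption or
    decryption event itself is a XOR that costs memory bandwidth, not
    processor time. Confidentiality only: no integrity protection here.
    """

    def __init__(self, key: bytes, nonce: bytes):
        self.key = key
        self.nonce = nonce
        self.cache = {}      # block index -> keystream block (memory resource)
        self.prf_calls = 0   # counts the expensive, time-shiftable work

    def _block(self, idx: int) -> bytes:
        blk = self.cache.get(idx)
        if blk is None:
            msg = self.nonce + idx.to_bytes(8, "big")
            blk = hmac.new(self.key, msg, hashlib.sha256).digest()
            self.cache[idx] = blk
            self.prf_calls += 1
        return blk

    def precompute(self, offset: int, length: int) -> None:
        """Time-shift: derive every block covering [offset, offset+length) now."""
        first = offset // BLOCK
        last = (offset + length + BLOCK - 1) // BLOCK  # exclusive
        for idx in range(first, last):
            self._block(idx)

    def xor_at(self, offset: int, data: bytes) -> bytes:
        """Encrypt or decrypt `data` that sits at byte `offset` of the stream.

        XOR is its own inverse, so the same call serves both directions.
        Cached blocks make this a pure memory operation; uncached blocks
        are derived on demand (the non-time-shifted fallback).
        """
        out = bytearray(len(data))
        for i, byte in enumerate(data):
            pos = offset + i
            out[i] = byte ^ self._block(pos // BLOCK)[pos % BLOCK]
        return bytes(out)


def encrypt_after_precompute(key: bytes, nonce: bytes, offset: int, plaintext: bytes):
    """Return (ciphertext, PRF calls made during the event) to show the
    event itself performs no cryptographic computation."""
    vk = VirtualKeystream(key, nonce)
    vk.precompute(offset, len(plaintext))   # ahead of time, off the critical path
    before = vk.prf_calls
    ct = vk.xor_at(offset, plaintext)       # the event: XOR only
    return ct, vk.prf_calls - before


def keystream_reuse_leak(vk: VirtualKeystream, offset: int, p1: bytes, p2: bytes) -> bytes:
    """The caveat: two ciphertexts sharing keystream XOR to p1 XOR p2, with
    the key cancelled out. Each (key, nonce, offset) must be used once."""
    c1 = vk.xor_at(offset, p1)
    c2 = vk.xor_at(offset, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key, nonce = b"\x11" * 32, b"\x22" * 16          # constructed sample values
    msg = b"block 7 of a virtual disk" * 4           # constructed 100-byte record
    ct, event_calls = encrypt_after_precompute(key, nonce, 4096, msg)
    print("PRF calls during the encryption event:", event_calls)
    # A fresh instance with nothing precomputed decrypts at any offset; it
    # simply pays the PRF cost at event time instead.
    print(VirtualKeystream(key, nonce).xor_at(4096, ct) == msg)
```

Two practical notes: the cached keystream is key material, so the memory holding it needs the same handling as the key itself (not swapped to disk, wiped after use); and a scheme like this gives confidentiality only, so a deployment still needs a MAC or an authenticated mode over the ciphertext.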